1 <?xml version=
"1.0" encoding=
"utf-8"?>
2 <database name=
"ovn-sb" title=
"OVN Southbound Database">
4 This database holds logical and physical configuration and state for the
5 Open Virtual Network (OVN) system to support virtual network abstraction.
6 For an introduction to OVN, please see
<code>ovn-architecture
</code>(
7).
10 The OVN Southbound database sits at the center of the OVN
11 architecture. It is the one component that speaks both southbound
12 directly to all the hypervisors and gateways, via
13 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code>, and
14 northbound to the Cloud Management System, via
<code>ovn-northd
</code>:
17 <h2>Database Structure
</h2>
20 The OVN Southbound database contains classes of data with
21 different properties, as described in the sections below.
24 <h3>Physical network
</h3>
27 Physical network tables contain information about the chassis nodes in the
28 system. This contains all the information necessary to wire the overlay,
29 such as IP addresses, supported tunnel types, and security keys.
33 The amount of physical network data is small (O(n) in the number of
34 chassis) and it changes infrequently, so it can be replicated to every
39 The
<ref table=
"Chassis"/> and
<ref table=
"Encap"/> tables are the physical
43 <h3>Logical Network
</h3>
46 Logical network tables contain the topology of logical switches and
47 routers, ACLs, firewall rules, and everything needed to describe how
48 packets traverse a logical network, represented as logical datapath flows
49 (see Logical Datapath Flows, below).
53 Logical network data may be large (O(n) in the number of logical ports, ACL
54 rules, etc.). Thus, to improve scaling, each chassis should receive only
55 data related to logical networks in which that chassis participates.
59 The logical network data is ultimately controlled by the cloud management
60 system (CMS) running northbound of OVN. That CMS determines the entire OVN
61 logical configuration and therefore the logical network data at any given
62 time is a deterministic function of the CMS's configuration, although that
63 happens indirectly via the
<ref db=
"OVN_Northbound"/> database and
64 <code>ovn-northd
</code>.
68 Logical network data is likely to change more quickly than physical network
69 data. This is especially true in a container environment where containers
70 are created and destroyed (and therefore added to and deleted from logical
75 The
<ref table=
"Logical_Flow"/>,
<ref table=
"Multicast_Group"/>,
<ref
76 table=
"Address_Group"/>,
<ref table=
"DHCP_Options"/>,
<ref
77 table=
"DHCPv6_Options"/>, and
<ref table=
"DNS"/> tables contain logical
81 <h3>Logical-physical bindings
</h3>
84 These tables link logical and physical components. They show the current
85 placement of logical components (such as VMs and VIFs) onto chassis, and
86 map logical entities to the values that represent them in tunnel
91 These tables change frequently, at least every time a VM powers up or down
92 or migrates, and especially quickly in a container environment. The
93 amount of data per VM (or VIF) is small.
97 Each chassis is authoritative about the VMs and VIFs that it hosts at any
98 given time and can efficiently flood that state to a central location, so
99 the consistency needs are minimal.
103 The
<ref table=
"Port_Binding"/> and
<ref table=
"Datapath_Binding"/> tables
104 contain binding data.
107 <h3>MAC bindings
</h3>
110 The
<ref table=
"MAC_Binding"/> table tracks the bindings from IP addresses
111 to Ethernet addresses that are dynamically discovered using ARP (for IPv4)
112 and neighbor discovery (for IPv6). Usually, IP-to-MAC bindings for virtual
113 machines are statically populated into the
<ref table=
"Port_Binding"/>
114 table, so
<ref table=
"MAC_Binding"/> is primarily used to discover bindings
115 on physical networks.
118 <h2>Common Columns
</h2>
121 Some tables contain a special column named
<code>external_ids
</code>. This
122 column has the same form and purpose each place that it appears, so we
123 describe it here to save space later.
127 <dt><code>external_ids
</code>: map of string-string pairs
</dt>
129 Key-value pairs for use by the software that manages the OVN Southbound
130 database rather than by
131 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code>. In
132 particular,
<code>ovn-northd
</code> can use key-value pairs in this
133 column to relate entities in the southbound database to higher-level
134 entities (such as entities in the OVN Northbound database). Individual
135 key-value pairs in this column may be documented in some cases to aid
136 in understanding and troubleshooting, but the reader should not mistake
137 such documentation as comprehensive.
141 <table name=
"SB_Global" title=
"Southbound configuration">
143 Southbound configuration for an OVN system. This table must have exactly
147 <group title=
"Status">
148 This column allow a client to track the overall configuration state of
151 <column name=
"nb_cfg">
152 Sequence number for the configuration. When a CMS or
153 <code>ovn-nbctl
</code> updates the northbound database, it increments
154 the
<code>nb_cfg
</code> column in the
<code>NB_Global
</code> table in
155 the northbound database. In turn, when
<code>ovn-northd
</code> updates
156 the southbound database to bring it up to date with these changes, it
157 updates this column to the same value.
161 <group title=
"Common Columns">
162 <column name=
"external_ids">
163 See
<em>External IDs
</em> at the beginning of this document.
166 <group title=
"Connection Options">
167 <column name=
"connections">
168 Database clients to which the Open vSwitch database server should
169 connect or on which it should listen, along with options for how these
170 connections should be configured. See the
<ref table=
"Connection"/>
171 table for more information.
174 Global SSL configuration.
179 <table name=
"Chassis" title=
"Physical Network Hypervisor and Gateway Information">
181 Each row in this table represents a hypervisor or gateway (a chassis) in
182 the physical network. Each chassis, via
183 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code>, adds
184 and updates its own row, and keeps a copy of the remaining rows to
185 determine how to reach other hypervisors.
189 When a chassis shuts down gracefully, it should remove its own row.
190 (This is not critical because resources hosted on the chassis are equally
191 unreachable regardless of whether the row is present.) If a chassis
192 shuts down permanently without removing its row, some kind of manual or
193 automatic cleanup is eventually needed; we can devise a process for that
198 OVN does not prescribe a particular format for chassis names.
199 ovn-controller populates this column using
<ref key=
"system-id"
200 table=
"Open_vSwitch" column=
"external_ids" db=
"Open_vSwitch"/>
201 in the Open_vSwitch database's
<ref table=
"Open_vSwitch"
202 db=
"Open_vSwitch"/> table. ovn-controller-vtep populates this
203 column with
<ref table=
"Physical_Switch" column=
"name"
204 db=
"hardware_vtep"/> in the hardware_vtep database's
205 <ref table=
"Physical_Switch" db=
"hardware_vtep"/> table.
208 <column name=
"hostname">
209 The hostname of the chassis, if applicable. ovn-controller will populate
210 this column with the hostname of the host it is running on.
211 ovn-controller-vtep will leave this column empty.
214 <column name=
"nb_cfg">
215 Sequence number for the configuration. When
<code>ovn-controller
</code>
216 updates the configuration of a chassis from the contents of the
217 southbound database, it copies
<ref table=
"SB_Global" column=
"nb_cfg"/>
218 from the
<ref table=
"SB_Global"/> table into this column.
221 <column name=
"external_ids" key=
"ovn-bridge-mappings">
222 <code>ovn-controller
</code> populates this key with the set of bridge
223 mappings it has been configured to use. Other applications should treat
224 this key as read-only. See
<code>ovn-controller
</code>(
8) for more
228 <column name=
"external_ids" key=
"datapath-type">
229 <code>ovn-controller
</code> populates this key with the datapath type
230 configured in the
<ref table=
"Bridge" column=
"datapath_type"/> column of
231 the Open_vSwitch database's
<ref table=
"Bridge" db=
"Open_vSwitch"/>
232 table. Other applications should treat this key as read-only. See
233 <code>ovn-controller
</code>(
8) for more information.
236 <column name=
"external_ids" key=
"iface-types">
237 <code>ovn-controller
</code> populates this key with the interface types
238 configured in the
<ref table=
"Open_vSwitch" column=
"iface_types"/> column
239 of the Open_vSwitch database's
<ref table=
"Open_vSwitch"
240 db=
"Open_vSwitch"/> table. Other applications should treat this key as
241 read-only. See
<code>ovn-controller
</code>(
8) for more information.
244 <group title=
"Common Columns">
245 The overall purpose of these columns is described under
<code>Common
246 Columns
</code> at the beginning of this document.
248 <column name=
"external_ids"/>
251 <group title=
"Encapsulation Configuration">
253 OVN uses encapsulation to transmit logical dataplane packets
257 <column name=
"encaps">
258 Points to supported encapsulation configurations to transmit
259 logical dataplane packets to this chassis. Each entry is a
<ref
260 table=
"Encap"/> record that describes the configuration.
264 <group title=
"Gateway Configuration">
266 A
<dfn>gateway
</dfn> is a chassis that forwards traffic between the
267 OVN-managed part of a logical network and a physical VLAN, extending a
268 tunnel-based logical network into a physical network. Gateways are
269 typically dedicated nodes that do not host VMs and will be controlled
270 by
<code>ovn-controller-vtep
</code>.
273 <column name=
"vtep_logical_switches">
274 Stores all VTEP logical switch names connected by this gateway
275 chassis. The
<ref table=
"Port_Binding"/> table entry with
276 <ref column=
"options" table=
"Port_Binding"/>:
<code>vtep-physical-switch
</code>
277 equal
<ref table=
"Chassis"/> <ref column=
"name" table=
"Chassis"/>, and
278 <ref column=
"options" table=
"Port_Binding"/>:
<code>vtep-logical-switch
</code>
279 value in
<ref table=
"Chassis"/>
280 <ref column=
"vtep_logical_switches" table=
"Chassis"/>, will be
281 associated with this
<ref table=
"Chassis"/>.
286 <table name=
"Encap" title=
"Encapsulation Types">
288 The
<ref column=
"encaps" table=
"Chassis"/> column in the
<ref
289 table=
"Chassis"/> table refers to rows in this table to identify
290 how OVN may transmit logical dataplane packets to this chassis.
291 Each chassis, via
<code>ovn-controller
</code>(
8) or
292 <code>ovn-controller-vtep
</code>(
8), adds and updates its own rows
293 and keeps a copy of the remaining rows to determine how to reach
298 The encapsulation to use to transmit packets to this chassis.
299 Hypervisors must use either
<code>geneve
</code> or
300 <code>stt
</code>. Gateways may use
<code>vxlan
</code>,
301 <code>geneve
</code>, or
<code>stt
</code>.
304 <column name=
"options">
306 Options for configuring the encapsulation. Currently, the only
307 option that has been defined is
<code>csum
</code>.
311 <code>csum
</code> indicates that encapsulation checksums can be
312 transmitted and received with reasonable performance. It is a hint
313 to senders transmitting data to this chassis that they should use
314 checksums to protect OVN metadata.
<code>ovn-controller
</code>
315 populates this key with the value defined in
316 <ref table=
"Open_vSwitch" column=
"external_ids:ovn-encap-csum"/> column
317 of the Open_vSwitch database's
<ref table=
"Open_vSwitch"
318 db=
"Open_vSwitch"/> table. Other applications should treat this key as
319 read-only. See
<code>ovn-controller
</code>(
8) for more information.
323 In terms of performance, this actually significantly increases
324 throughput in most common cases when running on Linux based hosts
325 without NICs supporting encapsulation hardware offload (around
60% for
326 bulk traffic). The reason is that generally all NICs are capable of
327 offloading transmitted and received TCP/UDP checksums (viewed as
328 ordinary data packets and not as tunnels). The benefit comes on the
329 receive side where the validated outer checksum can be used to
330 additionally validate an inner checksum (such as TCP), which in turn
331 allows aggregation of packets to be more efficiently handled by the
336 Not all devices see such a benefit. The most notable exception is
337 hardware VTEPs. These devices are designed to not buffer entire
338 packets in their switching engines and are therefore unable to
339 efficiently compute or validate full packet checksums. In addition
340 certain versions of the Linux kernel are not able to fully take
341 advantage of encapsulation NIC offloads in the presence of checksums.
342 (This is actually a pretty narrow corner case though - earlier
343 versions of Linux don't support encapsulation offloads at all and
344 later versions support both offloads and checksums well.)
348 <code>csum
</code> defaults to
<code>false
</code> for hardware VTEPs and
349 <code>true
</code> for all other cases.
354 The IPv4 address of the encapsulation tunnel endpoint.
358 <table name=
"Address_Set" title=
"Address Sets">
360 See the documentation for the
<ref table=
"Address_Set"
361 db=
"OVN_Northbound"/> table in the
<ref db=
"OVN_Northbound"/> database
365 <column name=
"name"/>
366 <column name=
"addresses"/>
369 <table name=
"Logical_Flow" title=
"Logical Network Flows">
371 Each row in this table represents one logical flow.
372 <code>ovn-northd
</code> populates this table with logical flows
373 that implement the L2 and L3 topologies specified in the
374 <ref db=
"OVN_Northbound"/> database. Each hypervisor, via
375 <code>ovn-controller
</code>, translates the logical flows into
376 OpenFlow flows specific to its hypervisor and installs them into
381 Logical flows are expressed in an OVN-specific format, described here. A
382 logical datapath flow is much like an OpenFlow flow, except that the
383 flows are written in terms of logical ports and logical datapaths instead
384 of physical ports and physical datapaths. Translation between logical
385 and physical flows helps to ensure isolation between logical datapaths.
386 (The logical flow abstraction also allows the OVN centralized
387 components to do less work, since they do not have to separately
388 compute and push out physical flows to each chassis.)
392 The default action when no flow matches is to drop packets.
395 <p><em>Architectural Logical Life Cycle of a Packet
</em></p>
398 This following description focuses on the life cycle of a packet through
399 a logical datapath, ignoring physical details of the implementation.
400 Please refer to
<em>Architectural Physical Life Cycle of a Packet
</em> in
401 <code>ovn-architecture
</code>(
7) for the physical information.
405 The description here is written as if OVN itself executes these steps,
406 but in fact OVN (that is,
<code>ovn-controller
</code>) programs Open
407 vSwitch, via OpenFlow and OVSDB, to execute them on its behalf.
411 At a high level, OVN passes each packet through the logical datapath's
412 logical ingress pipeline, which may output the packet to one or more
413 logical port or logical multicast groups. For each such logical output
414 port, OVN passes the packet through the datapath's logical egress
415 pipeline, which may either drop the packet or deliver it to the
416 destination. Between the two pipelines, outputs to logical multicast
417 groups are expanded into logical ports, so that the egress pipeline only
418 processes a single logical output port at a time. Between the two
419 pipelines is also where, when necessary, OVN encapsulates a packet in a
420 tunnel (or tunnels) to transmit to remote hypervisors.
424 In more detail, to start, OVN searches the
<ref table=
"Logical_Flow"/>
425 table for a row with correct
<ref column=
"logical_datapath"/>, a
<ref
426 column=
"pipeline"/> of
<code>ingress
</code>, a
<ref column=
"table_id"/>
427 of
0, and a
<ref column=
"match"/> that is true for the packet. If none
428 is found, OVN drops the packet. If OVN finds more than one, it chooses
429 the match with the highest
<ref column=
"priority"/>. Then OVN executes
430 each of the actions specified in the row's
<ref table=
"actions"/> column,
431 in the order specified. Some actions, such as those to modify packet
432 headers, require no further details. The
<code>next
</code> and
433 <code>output
</code> actions are special.
437 The
<code>next
</code> action causes the above process to be repeated
438 recursively, except that OVN searches for
<ref column=
"table_id"/> of
1
439 instead of
0. Similarly, any
<code>next
</code> action in a row found in
440 that table would cause a further search for a
<ref column=
"table_id"/> of
441 2, and so on. When recursive processing completes, flow control returns
442 to the action following
<code>next
</code>.
446 The
<code>output
</code> action also introduces recursion. Its effect
447 depends on the current value of the
<code>outport
</code> field. Suppose
448 <code>outport
</code> designates a logical port. First, OVN compares
449 <code>inport
</code> to
<code>outport
</code>; if they are equal, it treats
450 the
<code>output
</code> as a no-op by default. In the common
451 case, where they are different, the packet enters the egress
452 pipeline. This transition to the egress pipeline discards
453 register data, e.g.
<code>reg0
</code> ...
<code>reg9
</code> and
454 connection tracking state, to achieve uniform behavior regardless
455 of whether the egress pipeline is on a different hypervisor
456 (because registers aren't preserve across tunnel encapsulation).
460 To execute the egress pipeline, OVN again searches the
<ref
461 table=
"Logical_Flow"/> table for a row with correct
<ref
462 column=
"logical_datapath"/>, a
<ref column=
"table_id"/> of
0, a
<ref
463 column=
"match"/> that is true for the packet, but now looking for a
<ref
464 column=
"pipeline"/> of
<code>egress
</code>. If no matching row is found,
465 the output becomes a no-op. Otherwise, OVN executes the actions for the
466 matching flow (which is chosen from multiple, if necessary, as already
471 In the
<code>egress
</code> pipeline, the
<code>next
</code> action acts as
472 already described, except that it, of course, searches for
473 <code>egress
</code> flows. The
<code>output
</code> action, however, now
474 directly outputs the packet to the output port (which is now fixed,
475 because
<code>outport
</code> is read-only within the egress pipeline).
479 The description earlier assumed that
<code>outport
</code> referred to a
480 logical port. If it instead designates a logical multicast group, then
481 the description above still applies, with the addition of fan-out from
482 the logical multicast group to each logical port in the group. For each
483 member of the group, OVN executes the logical pipeline as described, with
484 the logical output port replaced by the group member.
487 <p><em>Pipeline Stages
</em></p>
490 <code>ovn-northd
</code> populates the
<ref table=
"Logical_Flow"/> table
491 with the logical flows described in detail in
<code>ovn-northd
</code>(
8).
494 <column name=
"logical_datapath">
495 The logical datapath to which the logical flow belongs.
498 <column name=
"pipeline">
500 The primary flows used for deciding on a packet's destination are the
501 <code>ingress
</code> flows. The
<code>egress
</code> flows implement
502 ACLs. See
<em>Logical Life Cycle of a Packet
</em>, above, for details.
506 <column name=
"table_id">
507 The stage in the logical pipeline, analogous to an OpenFlow table number.
510 <column name=
"priority">
511 The flow's priority. Flows with numerically higher priority take
512 precedence over those with lower. If two logical datapath flows with the
513 same priority both match, then the one actually applied to the packet is
517 <column name=
"match">
519 A matching expression. OVN provides a superset of OpenFlow matching
520 capabilities, using a syntax similar to Boolean expressions in a
521 programming language.
525 The most important components of match expression are
526 <dfn>comparisons
</dfn> between
<dfn>symbols
</dfn> and
527 <dfn>constants
</dfn>, e.g.
<code>ip4.dst ==
192.168.0.1</code>,
528 <code>ip.proto ==
6</code>,
<code>arp.op ==
1</code>,
<code>eth.type ==
529 0x800</code>. The logical AND operator
<code>&&</code> and
530 logical OR operator
<code>||
</code> can combine comparisons into a
535 Matching expressions also support parentheses for grouping, the logical
536 NOT prefix operator
<code>!
</code>, and literals
<code>0</code> and
537 <code>1</code> to express ``false'' or ``true,'' respectively. The
538 latter is useful by itself as a catch-all expression that matches every
543 Match expressions also support a kind of function syntax. The
544 following functions are supported:
548 <dt><code>is_chassis_resident(
<var>lport
</var>)
</code></dt>
550 Evaluates to true on a chassis on which logical port
<var>lport
</var>
551 (a quoted string) resides, and to false elsewhere. This function was
552 introduced in OVN
2.7.
556 <p><em>Symbols
</em></p>
559 <em>Type
</em>. Symbols have
<dfn>integer
</dfn> or
<dfn>string
</dfn>
560 type. Integer symbols have a
<dfn>width
</dfn> in bits.
564 <em>Kinds
</em>. There are three kinds of symbols:
570 <dfn>Fields
</dfn>. A field symbol represents a packet header or
571 metadata field. For example, a field
572 named
<code>vlan.tci
</code> might represent the VLAN TCI field in a
577 A field symbol can have integer or string type. Integer fields can
578 be nominal or ordinal (see
<em>Level of Measurement
</em>,
585 <dfn>Subfields
</dfn>. A subfield represents a subset of bits from
586 a larger field. For example, a field
<code>vlan.vid
</code> might
587 be defined as an alias for
<code>vlan.tci[
0.
.11]
</code>. Subfields
588 are provided for syntactic convenience, because it is always
589 possible to instead refer to a subset of bits from a field
594 Only ordinal fields (see
<em>Level of Measurement
</em>,
595 below) may have subfields. Subfields are always ordinal.
601 <dfn>Predicates
</dfn>. A predicate is shorthand for a Boolean
602 expression. Predicates may be used much like
1-bit fields. For
603 example,
<code>ip4
</code> might expand to
<code>eth.type ==
604 0x800</code>. Predicates are provided for syntactic convenience,
605 because it is always possible to instead specify the underlying
610 A predicate whose expansion refers to any nominal field or
611 predicate (see
<em>Level of Measurement
</em>, below) is nominal;
612 other predicates have Boolean level of measurement.
618 <em>Level of Measurement
</em>. See
619 http://en.wikipedia.org/wiki/Level_of_measurement for the statistical
620 concept on which this classification is based. There are three
627 <dfn>Ordinal
</dfn>. In statistics, ordinal values can be ordered
628 on a scale. OVN considers a field (or subfield) to be ordinal if
629 its bits can be examined individually. This is true for the
630 OpenFlow fields that OpenFlow or Open vSwitch makes ``maskable.''
634 Any use of a nominal field may specify a single bit or a range of
635 bits, e.g.
<code>vlan.tci[
13.
.15]
</code> refers to the PCP field
636 within the VLAN TCI, and
<code>eth.dst[
40]
</code> refers to the
637 multicast bit in the Ethernet destination address.
641 OVN supports all the usual arithmetic relations (
<code>==
</code>,
642 <code>!=
</code>,
<code><</code>,
<code><=
</code>,
643 <code>></code>, and
<code>>=
</code>) on ordinal fields and
644 their subfields, because OVN can implement these in OpenFlow and
645 Open vSwitch as collections of bitwise tests.
651 <dfn>Nominal
</dfn>. In statistics, nominal values cannot be
652 usefully compared except for equality. This is true of OpenFlow
653 port numbers, Ethernet types, and IP protocols are examples: all of
654 these are just identifiers assigned arbitrarily with no deeper
655 meaning. In OpenFlow and Open vSwitch, bits in these fields
656 generally aren't individually addressable.
660 OVN only supports arithmetic tests for equality on nominal fields,
661 because OpenFlow and Open vSwitch provide no way for a flow to
662 efficiently implement other comparisons on them. (A test for
663 inequality can be sort of built out of two flows with different
664 priorities, but OVN matching expressions always generate flows with
669 String fields are always nominal.
675 <dfn>Boolean
</dfn>. A nominal field that has only two values,
0
676 and
1, is somewhat exceptional, since it is easy to support both
677 equality and inequality tests on such a field: either one can be
678 implemented as a test for
0 or
1.
682 Only predicates (see above) have a Boolean level of measurement.
686 This isn't a standard level of measurement.
692 <em>Prerequisites
</em>. Any symbol can have prerequisites, which are
693 additional condition implied by the use of the symbol. For example,
694 For example,
<code>icmp4.type
</code> symbol might have prerequisite
695 <code>icmp4
</code>, which would cause an expression
<code>icmp4.type ==
696 0</code> to be interpreted as
<code>icmp4.type ==
0 &&
697 icmp4
</code>, which would in turn expand to
<code>icmp4.type ==
0
698 && eth.type ==
0x800 && ip4.proto ==
1</code> (assuming
699 <code>icmp4
</code> is a predicate defined as suggested under
700 <em>Types
</em> above).
703 <p><em>Relational operators
</em></p>
706 All of the standard relational operators
<code>==
</code>,
707 <code>!=
</code>,
<code><</code>,
<code><=
</code>,
708 <code>></code>, and
<code>>=
</code> are supported. Nominal
709 fields support only
<code>==
</code> and
<code>!=
</code>, and only in a
710 positive sense when outer
<code>!
</code> are taken into account,
711 e.g. given string field
<code>inport
</code>,
<code>inport ==
712 "eth0"</code> and
<code>!(inport !=
"eth0")
</code> are acceptable, but
713 not
<code>inport !=
"eth0"</code>.
717 The implementation of
<code>==
</code> (or
<code>!=
</code> when it is
718 negated), is more efficient than that of the other relational
722 <p><em>Constants
</em></p>
725 Integer constants may be expressed in decimal, hexadecimal prefixed by
726 <code>0x
</code>, or as dotted-quad IPv4 addresses, IPv6 addresses in
727 their standard forms, or Ethernet addresses as colon-separated hex
728 digits. A constant in any of these forms may be followed by a slash
729 and a second constant (the mask) in the same form, to form a masked
730 constant. IPv4 and IPv6 masks may be given as integers, to express
735 String constants have the same syntax as quoted strings in JSON (thus,
736 they are Unicode strings).
740 Some operators support sets of constants written inside curly braces
741 <code>{
</code> ...
<code>}
</code>. Commas between elements of a set,
742 and after the last elements, are optional. With
<code>==
</code>,
743 ``
<code><var>field
</var> == {
<var>constant1
</var>,
744 <var>constant2
</var>,
</code> ...
<code>}
</code>'' is syntactic sugar
745 for ``
<code><var>field
</var> ==
<var>constant1
</var> ||
746 <var>field
</var> ==
<var>constant2
</var> ||
</code>...
<code></code>.
747 Similarly, ``
<code><var>field
</var> != {
<var>constant1
</var>,
748 <var>constant2
</var>,
</code>...
<code> }
</code>'' is equivalent to
749 ``
<code><var>field
</var> !=
<var>constant1
</var> &&
750 <var>field
</var> !=
<var>constant2
</var> &&
751 </code>...
<code></code>''.
755 You may refer to a set of IPv4, IPv6, or MAC addresses stored in the
756 <ref table=
"Address_Set"/> table by its
<ref column=
"name"
757 table=
"Address_Set"/>. An
<ref table=
"Address_Set"/> with a name
758 of
<code>set1
</code> can be referred to as
762 <p><em>Miscellaneous
</em></p>
765 Comparisons may name the symbol or the constant first,
766 e.g.
<code>tcp.src ==
80</code> and
<code>80 == tcp.src
</code> are both
771 Tests for a range may be expressed using a syntax like
<code>1024 <=
772 tcp.src
<=
49151</code>, which is equivalent to
<code>1024 <=
773 tcp.src
&& tcp.src
<=
49151</code>.
777 For a one-bit field or predicate, a mention of its name is equivalent
778 to
<code><var>symobl
</var> ==
1</code>, e.g.
<code>vlan.present
</code>
779 is equivalent to
<code>vlan.present ==
1</code>. The same is true for
780 one-bit subfields, e.g.
<code>vlan.tci[
12]
</code>. There is no
781 technical limitation to implementing the same for ordinal fields of all
782 widths, but the implementation is expensive enough that the syntax
783 parser requires writing an explicit comparison against zero to make
784 mistakes less likely, e.g. in
<code>tcp.src !=
0</code> the comparison
785 against
0 is required.
789 <em>Operator precedence
</em> is as shown below, from highest to lowest.
790 There are two exceptions where parentheses are required even though the
791 table would suggest that they are not:
<code>&&</code> and
792 <code>||
</code> require parentheses when used together, and
793 <code>!
</code> requires parentheses when applied to a relational
794 expression. Thus, in
<code>(eth.type ==
0x800 || eth.type ==
0x86dd)
795 && ip.proto ==
6</code> or
<code>!(arp.op ==
1)
</code>, the
796 parentheses are mandatory.
800 <li><code>()
</code></li>
801 <li><code>== !=
< <=
> >=
</code></li>
802 <li><code>!
</code></li>
803 <li><code>&& ||
</code></li>
807 <em>Comments
</em> may be introduced by
<code>//
</code>, which extends
808 to the next new-line. Comments within a line may be bracketed by
809 <code>/*
</code> and
<code>*/
</code>. Multiline comments are not
813 <p><em>Symbols
</em></p>
816 Most of the symbols below have integer type. Only
<code>inport
</code>
817 and
<code>outport
</code> have string type.
<code>inport
</code> names a
818 logical port. Thus, its value is a
<ref column=
"logical_port"/> name
819 from the
<ref table=
"Port_Binding"/> table.
<code>outport
</code> may
820 name a logical port, as
<code>inport
</code>, or a logical multicast
821 group defined in the
<ref table=
"Multicast_Group"/> table. For both
822 symbols, only names within the flow's logical datapath may be used.
826 The
<code>reg
</code><var>X
</var> symbols are
32-bit integers.
827 The
<code>xxreg
</code><var>X
</var> symbols are
128-bit integers,
828 which overlay four of the
32-bit registers:
<code>xxreg0
</code>
829 overlays
<code>reg0
</code> through
<code>reg3
</code>, with
830 <code>reg0
</code> supplying the most-significant bits of
831 <code>xxreg0
</code> and
<code>reg3
</code> the least-signficant.
832 <code>xxreg1
</code> similarly overlays
<code>reg4
</code> through
837 <li><code>reg0
</code>...
<code>reg9
</code></li>
838 <li><code>xxreg0
</code> <code>xxreg1
</code></li>
839 <li><code>inport
</code> <code>outport
</code></li>
840 <li><code>flags.loopback
</code></li>
841 <li><code>eth.src
</code> <code>eth.dst
</code> <code>eth.type
</code></li>
842 <li><code>vlan.tci
</code> <code>vlan.vid
</code> <code>vlan.pcp
</code> <code>vlan.present
</code></li>
843 <li><code>ip.proto
</code> <code>ip.dscp
</code> <code>ip.ecn
</code> <code>ip.ttl
</code> <code>ip.frag
</code></li>
844 <li><code>ip4.src
</code> <code>ip4.dst
</code></li>
845 <li><code>ip6.src
</code> <code>ip6.dst
</code> <code>ip6.label
</code></li>
846 <li><code>arp.op
</code> <code>arp.spa
</code> <code>arp.tpa
</code> <code>arp.sha
</code> <code>arp.tha
</code></li>
847 <li><code>tcp.src
</code> <code>tcp.dst
</code> <code>tcp.flags
</code></li>
848 <li><code>udp.src
</code> <code>udp.dst
</code></li>
849 <li><code>sctp.src
</code> <code>sctp.dst
</code></li>
850 <li><code>icmp4.type
</code> <code>icmp4.code
</code></li>
851 <li><code>icmp6.type
</code> <code>icmp6.code
</code></li>
852 <li><code>nd.target
</code> <code>nd.sll
</code> <code>nd.tll
</code></li>
853 <li><code>ct_mark
</code> <code>ct_label
</code></li>
856 <code>ct_state
</code>, which has several Boolean subfields. The
857 <code>ct_next
</code> action initializes the following subfields:
861 <code>ct.trk
</code>: Always set to true by
<code>ct_next
</code>
862 to indicate that connection tracking has taken place. All other
863 <code>ct
</code> subfields have
<code>ct.trk
</code> as a
866 <li><code>ct.new
</code>: True for a new flow
</li>
867 <li><code>ct.est
</code>: True for an established flow
</li>
868 <li><code>ct.rel
</code>: True for a related flow
</li>
869 <li><code>ct.rpl
</code>: True for a reply flow
</li>
870 <li><code>ct.inv
</code>: True for a connection entry in a bad state
</li>
873 The
<code>ct_dnat
</code>,
<code>ct_snat
</code>, and
874 <code>ct_lb
</code> actions initialize the following subfields:
878 <code>ct.dnat
</code>: True for a packet whose destination IP
879 address has been changed.
882 <code>ct.snat
</code>: True for a packet whose source IP
883 address has been changed.
890 The following predicates are supported:
894 <li><code>eth.bcast
</code> expands to
<code>eth.dst == ff:ff:ff:ff:ff:ff
</code></li>
895 <li><code>eth.mcast
</code> expands to
<code>eth.dst[
40]
</code></li>
896 <li><code>vlan.present
</code> expands to
<code>vlan.tci[
12]
</code></li>
897 <li><code>ip4
</code> expands to
<code>eth.type ==
0x800</code></li>
898 <li><code>ip4.mcast
</code> expands to
<code>ip4.dst[
28.
.31] ==
0xe</code></li>
899 <li><code>ip6
</code> expands to
<code>eth.type ==
0x86dd</code></li>
900 <li><code>ip
</code> expands to
<code>ip4 || ip6
</code></li>
901 <li><code>icmp4
</code> expands to
<code>ip4
&& ip.proto ==
1</code></li>
902 <li><code>icmp6
</code> expands to
<code>ip6
&& ip.proto ==
58</code></li>
903 <li><code>icmp
</code> expands to
<code>icmp4 || icmp6
</code></li>
904 <li><code>ip.is_frag
</code> expands to
<code>ip.frag[
0]
</code></li>
905 <li><code>ip.later_frag
</code> expands to
<code>ip.frag[
1]
</code></li>
906 <li><code>ip.first_frag
</code> expands to
<code>ip.is_frag
&& !ip.later_frag
</code></li>
907 <li><code>arp
</code> expands to
<code>eth.type ==
0x806</code></li>
908 <li><code>nd
</code> expands to
<code>icmp6.type == {
135,
136}
&& icmp6.code ==
0 && ip.ttl ==
255</code></li>
909 <li><code>nd_ns
</code> expands to
<code>icmp6.type ==
135 && icmp6.code ==
0 && ip.ttl ==
255</code></li>
910 <li><code>nd_na
</code> expands to
<code>icmp6.type ==
136 && icmp6.code ==
0 && ip.ttl ==
255</code></li>
911 <li><code>tcp
</code> expands to
<code>ip.proto ==
6</code></li>
912 <li><code>udp
</code> expands to
<code>ip.proto ==
17</code></li>
913 <li><code>sctp
</code> expands to
<code>ip.proto ==
132</code></li>
917 <column name=
"actions">
919 Logical datapath actions, to be executed when the logical flow
920 represented by this row is the highest-priority match.
924 Actions share lexical syntax with the
<ref column=
"match"/> column. An
925 empty set of actions (or one that contains just white space or
926 comments), or a set of actions that consists of just
927 <code>drop;
</code>, causes the matched packets to be dropped.
928 Otherwise, the column should contain a sequence of actions, each
929 terminated by a semicolon.
933 The following actions are defined:
937 <dt><code>output;
</code></dt>
940 In the ingress pipeline, this action executes the
941 <code>egress
</code> pipeline as a subroutine. If
942 <code>outport
</code> names a logical port, the egress pipeline
943 executes once; if it is a multicast group, the egress pipeline runs
944 once for each logical port in the group.
948 In the egress pipeline, this action performs the actual
949 output to the
<code>outport
</code> logical port. (In the egress
950 pipeline,
<code>outport
</code> never names a multicast group.)
954 By default, output to the input port is implicitly dropped,
955 that is,
<code>output
</code> becomes a no-op if
956 <code>outport
</code> ==
<code>inport
</code>. Occasionally
957 it may be useful to override this behavior, e.g. to send an
958 ARP reply to an ARP request; to do so, use
959 <code>flags.loopback =
1</code> to allow the packet to
960 "hair-pin" back to the input port.
964 <dt><code>next;
</code></dt>
965 <dt><code>next(
<var>table
</var>);
</code></dt>
966 <dt><code>next(pipeline=
<var>pipeline
</var>, table=
<var>table
</var>);
</code></dt>
968 Executes the given logical datapath
<var>table
</var> in
969 <var>pipeline
</var> as a subroutine. The default
<var>table
</var> is
970 just after the current one. If
<var>pipeline
</var> is specified, it
971 may be
<code>ingress
</code> or
<code>egress
</code>; the default
972 <var>pipeline
</var> is the one currently executing. Actions in the
973 ingress pipeline may not use
<code>next
</code> to jump into the
974 egress pipeline (use the
<code>output
</code> instead), but
975 transitions in the opposite direction are allowed.
978 <dt><code><var>field
</var> =
<var>constant
</var>;
</code></dt>
981 Sets data or metadata field
<var>field
</var> to constant value
982 <var>constant
</var>, e.g.
<code>outport =
"vif0";
</code> to set the
983 logical output port. To set only a subset of bits in a field,
984 specify a subfield for
<var>field
</var> or a masked
985 <var>constant
</var>, e.g. one may use
<code>vlan.pcp[
2] =
1;
</code>
986 or
<code>vlan.pcp =
4/
4;
</code> to set the most sigificant bit of
991 Assigning to a field with prerequisites implicitly adds those
992 prerequisites to
<ref column=
"match"/>; thus, for example, a flow
993 that sets
<code>tcp.dst
</code> applies only to TCP flows,
994 regardless of whether its
<ref column=
"match"/> mentions any TCP
999 Not all fields are modifiable (e.g.
<code>eth.type
</code> and
1000 <code>ip.proto
</code> are read-only), and not all modifiable fields
1001 may be partially modified (e.g.
<code>ip.ttl
</code> must assigned
1002 as a whole). The
<code>outport
</code> field is modifiable in the
1003 <code>ingress
</code> pipeline but not in the
<code>egress
</code>
1008 <dt><code><var>field1
</var> =
<var>field2
</var>;
</code></dt>
1011 Sets data or metadata field
<var>field1
</var> to the value of data
1012 or metadata field
<var>field2
</var>, e.g.
<code>reg0 =
1013 ip4.src;
</code> copies
<code>ip4.src
</code> into
<code>reg0
</code>.
1014 To modify only a subset of a field's bits, specify a subfield for
1015 <var>field1
</var> or
<var>field2
</var> or both, e.g.
<code>vlan.pcp
1016 = reg0[
0.
.2];
</code> copies the least-significant bits of
1017 <code>reg0
</code> into the VLAN PCP.
1021 <var>field1
</var> and
<var>field2
</var> must be the same type,
1022 either both string or both integer fields. If they are both
1023 integer fields, they must have the same width.
1027 If
<var>field1
</var> or
<var>field2
</var> has prerequisites, they
1028 are added implicitly to
<ref column=
"match"/>. It is possible to
1029 write an assignment with contradictory prerequisites, such as
1030 <code>ip4.src = ip6.src[
0.
.31];
</code>, but the contradiction means
1031 that a logical flow with such an assignment will never be matched.
1035 <dt><code><var>field1
</var> <-
> <var>field2
</var>;
</code></dt>
1038 Similar to
<code><var>field1
</var> =
<var>field2
</var>;
</code>
1039 except that the two values are exchanged instead of copied. Both
1040 <var>field1
</var> and
<var>field2
</var> must modifiable.
1044 <dt><code>ip.ttl--;
</code></dt>
1047 Decrements the IPv4 or IPv6 TTL. If this would make the TTL zero
1048 or negative, then processing of the packet halts; no further
1049 actions are processed. (To properly handle such cases, a
1050 higher-priority flow should match on
1051 <code>ip.ttl == {
0,
1};
</code>.)
1054 <p><b>Prerequisite:
</b> <code>ip
</code></p>
1057 <dt><code>ct_next;
</code></dt>
1060 Apply connection tracking to the flow, initializing
1061 <code>ct_state
</code> for matching in later tables.
1062 Automatically moves on to the next table, as if followed by
1067 As a side effect, IP fragments will be reassembled for matching.
1068 If a fragmented packet is output, then it will be sent with any
1069 overlapping fragments squashed. The connection tracking state is
1070 scoped by the logical port when the action is used in a flow for
1071 a logical switch, so overlapping addresses may be used. To allow
1072 traffic related to the matched flow, execute
<code>ct_commit
1073 </code>. Connection tracking state is scoped by the logical
1074 topology when the action is used in a flow for a router.
1078 It is possible to have actions follow
<code>ct_next
</code>,
1079 but they will not have access to any of its side-effects and
1080 is not generally useful.
1084 <dt><code>ct_commit;
</code></dt>
1085 <dt><code>ct_commit(ct_mark=
<var>value[/mask]
</var>);
</code></dt>
1086 <dt><code>ct_commit(ct_label=
<var>value[/mask]
</var>);
</code></dt>
1087 <dt><code>ct_commit(ct_mark=
<var>value[/mask]
</var>, ct_label=
<var>value[/mask]
</var>);
</code></dt>
1090 Commit the flow to the connection tracking entry associated with it
1091 by a previous call to
<code>ct_next
</code>. When
1092 <code>ct_mark=
<var>value[/mask]
</var></code> and/or
1093 <code>ct_label=
<var>value[/mask]
</var></code> are supplied,
1094 <code>ct_mark
</code> and/or
<code>ct_label
</code> will be set to the
1095 values indicated by
<var>value[/mask]
</var> on the connection
1096 tracking entry.
<code>ct_mark
</code> is a
32-bit field.
1097 <code>ct_label
</code> is a
128-bit field. The
<var>value[/mask]
</var>
1098 should be specified in hex string if more than
64bits are to be used.
1102 Note that if you want processing to continue in the next table,
1103 you must execute the
<code>next
</code> action after
1104 <code>ct_commit
</code>. You may also leave out
<code>next
</code>
1105 which will commit connection tracking state, and then drop the
1106 packet. This could be useful for setting
<code>ct_mark
</code>
1107 on a connection tracking entry before dropping a packet,
1112 <dt><code>ct_dnat;
</code></dt>
1113 <dt><code>ct_dnat(
<var>IP
</var>);
</code></dt>
1116 <code>ct_dnat
</code> sends the packet through the DNAT zone in
1117 connection tracking table to unDNAT any packet that was DNATed in
1118 the opposite direction. The packet is then automatically sent to
1119 to the next tables as if followed by
<code>next;
</code> action.
1120 The next tables will see the changes in the packet caused by
1121 the connection tracker.
1124 <code>ct_dnat(
<var>IP
</var>)
</code> sends the packet through the
1125 DNAT zone to change the destination IP address of the packet to
1126 the one provided inside the parentheses and commits the connection.
1127 The packet is then automatically sent to the next tables as if
1128 followed by
<code>next;
</code> action. The next tables will see
1129 the changes in the packet caused by the connection tracker.
1133 <dt><code>ct_snat;
</code></dt>
1134 <dt><code>ct_snat(
<var>IP
</var>);
</code></dt>
1137 <code>ct_snat
</code> sends the packet through the SNAT zone to
1138 unSNAT any packet that was SNATed in the opposite direction. The
1139 behavior on gateway routers differs from the behavior on a
1144 On a gateway router, if the packet needs to be sent to the next
1145 tables, then it should be followed by a
<code>next;
</code>
1146 action. The next tables will not see the changes in the packet
1147 caused by the connection tracker.
1150 On a distributed router, if the connection tracker finds a
1151 connection that was SNATed in the opposite direction, then the
1152 destination IP address of the packet is UNSNATed. The packet is
1153 automatically sent to the next tables as if followed by the
1154 <code>next;
</code> action. The next tables will see the changes
1155 in the packet caused by the connection tracker.
1159 <code>ct_snat(
<var>IP
</var>)
</code> sends the packet through the
1160 SNAT zone to change the source IP address of the packet to
1161 the one provided inside the parenthesis and commits the connection.
1162 The packet is then automatically sent to the next tables as if
1163 followed by
<code>next;
</code> action. The next tables will see the
1164 changes in the packet caused by the connection tracker.
1168 <dt><code>ct_clear;
</code></dt>
1170 Clears connection tracking state.
1173 <dt><code>clone {
<var>action
</var>;
</code>...
<code> };
</code></dt>
1175 Makes a copy of the packet being processed and executes each
1176 <code>action
</code> on the copy. Actions following the
1177 <var>clone
</var> action, if any, apply to the original, unmodified
1178 packet. This can be used as a way to ``save and restore'' the packet
1179 around a set of actions that may modify it and should not persist.
1182 <dt><code>arp {
<var>action
</var>;
</code>...
<code> };
</code></dt>
1185 Temporarily replaces the IPv4 packet being processed by an ARP
1186 packet and executes each nested
<var>action
</var> on the ARP
1187 packet. Actions following the
<var>arp
</var> action, if any, apply
1188 to the original, unmodified packet.
1192 The ARP packet that this action operates on is initialized based on
1193 the IPv4 packet being processed, as follows. These are default
1194 values that the nested actions will probably want to change:
1198 <li><code>eth.src
</code> unchanged
</li>
1199 <li><code>eth.dst
</code> unchanged
</li>
1200 <li><code>eth.type =
0x0806</code></li>
1201 <li><code>arp.op =
1</code> (ARP request)
</li>
1202 <li><code>arp.sha
</code> copied from
<code>eth.src
</code></li>
1203 <li><code>arp.spa
</code> copied from
<code>ip4.src
</code></li>
1204 <li><code>arp.tha =
00:
00:
00:
00:
00:
00</code></li>
1205 <li><code>arp.tpa
</code> copied from
<code>ip4.dst
</code></li>
1209 The ARP packet has the same VLAN header, if any, as the IP packet
1213 <p><b>Prerequisite:
</b> <code>ip4
</code></p>
1216 <dt><code>get_arp(
<var>P
</var>,
<var>A
</var>);
</code></dt>
1220 <b>Parameters
</b>: logical port string field
<var>P
</var>,
32-bit
1221 IP address field
<var>A
</var>.
1225 Looks up
<var>A
</var> in
<var>P
</var>'s mac binding table.
1226 If an entry is found, stores its Ethernet address in
1227 <code>eth.dst
</code>, otherwise stores
1228 <code>00:
00:
00:
00:
00:
00</code> in
<code>eth.dst
</code>.
1231 <p><b>Example:
</b> <code>get_arp(outport, ip4.dst);
</code></p>
1235 <code>put_arp(
<var>P
</var>,
<var>A
</var>,
<var>E
</var>);
</code>
1240 <b>Parameters
</b>: logical port string field
<var>P
</var>,
32-bit
1241 IP address field
<var>A
</var>,
48-bit Ethernet address field
1246 Adds or updates the entry for IP address
<var>A
</var> in
1247 logical port
<var>P
</var>'s mac binding table, setting its
1248 Ethernet address to
<var>E
</var>.
1251 <p><b>Example:
</b> <code>put_arp(inport, arp.spa, arp.sha);
</code></p>
1255 <code>nd_na {
<var>action
</var>;
</code>...
<code> };
</code>
1260 Temporarily replaces the IPv6 neighbor solicitation packet
1261 being processed by an IPv6 neighbor advertisement (NA)
1262 packet and executes each nested
<var>action
</var> on the NA
1263 packet. Actions following the
<code>nd_na
</code> action,
1264 if any, apply to the original, unmodified packet.
1268 The NA packet that this action operates on is initialized based on
1269 the IPv6 packet being processed, as follows. These are default
1270 values that the nested actions will probably want to change:
1274 <li><code>eth.dst
</code> exchanged with
<code>eth.src
</code></li>
1275 <li><code>eth.type =
0x86dd</code></li>
1276 <li><code>ip6.dst
</code> copied from
<code>ip6.src
</code></li>
1277 <li><code>ip6.src
</code> copied from
<code>nd.target
</code></li>
1278 <li><code>icmp6.type =
136</code> (Neighbor Advertisement)
</li>
1279 <li><code>nd.target
</code> unchanged
</li>
1280 <li><code>nd.sll =
00:
00:
00:
00:
00:
00</code></li>
1281 <li><code>nd.tll
</code> copied from
<code>eth.dst
</code></li>
1285 The ND packet has the same VLAN header, if any, as the IPv6 packet
1290 <b>Prerequisite:
</b> <code>nd_ns
</code>
1294 <dt><code>get_nd(
<var>P
</var>,
<var>A
</var>);
</code></dt>
1298 <b>Parameters
</b>: logical port string field
<var>P
</var>,
128-bit
1299 IPv6 address field
<var>A
</var>.
1303 Looks up
<var>A
</var> in
<var>P
</var>'s mac binding table.
1304 If an entry is found, stores its Ethernet address in
1305 <code>eth.dst
</code>, otherwise stores
1306 <code>00:
00:
00:
00:
00:
00</code> in
<code>eth.dst
</code>.
1309 <p><b>Example:
</b> <code>get_nd(outport, ip6.dst);
</code></p>
1313 <code>put_nd(
<var>P
</var>,
<var>A
</var>,
<var>E
</var>);
</code>
1318 <b>Parameters
</b>: logical port string field
<var>P
</var>,
1319 128-bit IPv6 address field
<var>A
</var>,
48-bit Ethernet
1320 address field
<var>E
</var>.
1324 Adds or updates the entry for IPv6 address
<var>A
</var> in
1325 logical port
<var>P
</var>'s mac binding table, setting its
1326 Ethernet address to
<var>E
</var>.
1329 <p><b>Example:
</b> <code>put_nd(inport, nd.target, nd.tll);
</code></p>
1333 <code><var>R
</var> = put_dhcp_opts(
<var>D1
</var> =
<var>V1
</var>,
<var>D2
</var> =
<var>V2
</var>, ...,
<var>Dn
</var> =
<var>Vn
</var>);
</code>
1338 <b>Parameters
</b>: one or more DHCP option/value pairs, which must
1339 include an
<code>offerip
</code> option (with code
0).
1343 <b>Result
</b>: stored to a
1-bit subfield
<var>R
</var>.
1347 Valid only in the ingress pipeline.
1351 When this action is applied to a DHCP request packet (DHCPDISCOVER
1352 or DHCPREQUEST), it changes the packet into a DHCP reply (DHCPOFFER
1353 or DHCPACK, respectively), replaces the options by those specified
1354 as parameters, and stores
1 in
<var>R
</var>.
1358 When this action is applied to a non-DHCP packet or a DHCP packet
1359 that is not DHCPDISCOVER or DHCPREQUEST, it leaves the packet
1360 unchanged and stores
0 in
<var>R
</var>.
1364 The contents of the
<ref table=
"DHCP_Option"/> table control the
1365 DHCP option names and values that this action supports.
1371 reg0[
0] = put_dhcp_opts(offerip =
10.0.0.2, router =
10.0.0.1,
1372 netmask =
255.255.255.0, dns_server = {
8.8.8.8,
7.7.7.7});
1378 <code><var>R
</var> = put_dhcpv6_opts(
<var>D1
</var> =
<var>V1
</var>,
<var>D2
</var> =
<var>V2
</var>, ...,
<var>Dn
</var> =
<var>Vn
</var>);
</code>
1383 <b>Parameters
</b>: one or more DHCPv6 option/value pairs.
1387 <b>Result
</b>: stored to a
1-bit subfield
<var>R
</var>.
1391 Valid only in the ingress pipeline.
1395 When this action is applied to a DHCPv6 request packet, it changes
1396 the packet into a DHCPv6 reply, replaces the options by those
1397 specified as parameters, and stores
1 in
<var>R
</var>.
1401 When this action is applied to a non-DHCPv6 packet or an invalid
1402 DHCPv6 request packet , it leaves the packet unchanged and stores
1407 The contents of the
<ref table=
"DHCPv6_Options"/> table control the
1408 DHCPv6 option names and values that this action supports.
1414 reg0[
3] = put_dhcpv6_opts(ia_addr = aef0::
4, server_id =
00:
00:
00:
00:
10:
02,
1415 dns_server={ae70::
1,ae70::
2});
1421 <code>set_queue(
<var>queue_number
</var>);
</code>
1426 <b>Parameters
</b>: Queue number
<var>queue_number
</var>, in the range
0 to
61440.
1430 This is a logical equivalent of the OpenFlow
<code>set_queue
</code>
1431 action. It affects packets that egress a hypervisor through a
1432 physical interface. For nonzero
<var>queue_number
</var>, it
1433 configures packet queuing to match the settings configured for the
1434 <ref table=
"Port_Binding"/> with
1435 <code>options:qdisc_queue_id
</code> matching
1436 <var>queue_number
</var>. When
<var>queue_number
</var> is zero, it
1437 resets queuing to the default strategy.
1440 <p><b>Example:
</b> <code>set_queue(
10);
</code></p>
1443 <dt><code>ct_lb;
</code></dt>
1444 <dt><code>ct_lb(
</code><var>ip
</var>[
<code>:
</code><var>port
</var>]...
<code>);
</code></dt>
1447 With one or more arguments,
<code>ct_lb
</code> commits the packet
1448 to the connection tracking table and DNATs the packet's destination
1449 IP address (and port) to the IP address or addresses (and optional
1450 ports) specified in the string. If multiple comma-separated IP
1451 addresses are specified, each is given equal weight for picking the
1452 DNAT address. Processing automatically moves on to the next table,
1453 as if
<code>next;
</code> were specified, and later tables act on
1454 the packet as modified by the connection tracker. Connection
1455 tracking state is scoped by the logical port when the action is
1456 used in a flow for a logical switch, so overlapping
1457 addresses may be used. Connection tracking state is scoped by the
1458 logical topology when the action is used in a flow for a router.
1461 Without arguments,
<code>ct_lb
</code> sends the packet to the
1462 connection tracking table to NAT the packets. If the packet is
1463 part of an established connection that was previously committed to
1464 the connection tracker via
<code>ct_lb(
</code>...
<code>)
</code>, it
1465 will automatically get DNATed to the same IP address as the first
1466 packet in that connection.
1471 <code><var>R
</var> = dns_lookup();
</code>
1476 <b>Parameters
</b>: No parameters.
1480 <b>Result
</b>: stored to a
1-bit subfield
<var>R
</var>.
1484 Valid only in the ingress pipeline.
1488 When this action is applied to a valid DNS request (a UDP packet
1489 typically directed to port
53), it attempts to resolve the query
1490 using the contents of the
<ref table=
"DNS"/> table. If it is
1491 successful, it changes the packet into a DNS reply and stores
1 in
1492 <var>R
</var>. If the action is applied to a non-DNS packet, an
1493 invalid DNS request packet, or a valid DNS request for which the
1494 <ref table=
"DNS"/> table does not supply an answer, it leaves the
1495 packet unchanged and stores
0 in
<var>R
</var>.
1499 Regardless of success, the action does not make any of the changes
1500 to the flow that are necessary to direct the packet back to the
1501 requester. The logical pipeline can implement this behavior with
1502 matches and actions in later tables.
1508 reg0[
3] = dns_lookup();
1513 <b>Prerequisite:
</b> <code>udp
</code>
1519 The following actions will likely be useful later, but they have not
1520 been thought out carefully.
1524 <dt><code>icmp4 {
<var>action
</var>;
</code>...
<code> };
</code></dt>
1527 Temporarily replaces the IPv4 packet being processed by an ICMPv4
1528 packet and executes each nested
<var>action
</var> on the ICMPv4
1529 packet. Actions following the
<var>icmp4
</var> action, if any,
1530 apply to the original, unmodified packet.
1534 The ICMPv4 packet that this action operates on is initialized based
1535 on the IPv4 packet being processed, as follows. These are default
1536 values that the nested actions will probably want to change.
1537 Ethernet and IPv4 fields not listed here are not changed:
1541 <li><code>ip.proto =
1</code> (ICMPv4)
</li>
1542 <li><code>ip.frag =
0</code> (not a fragment)
</li>
1543 <li><code>icmp4.type =
3</code> (destination unreachable)
</li>
1544 <li><code>icmp4.code =
1</code> (host unreachable)
</li>
1551 <p><b>Prerequisite:
</b> <code>ip4
</code></p>
1554 <dt><code>tcp_reset;
</code></dt>
1557 This action transforms the current TCP packet according to the
1558 following pseudocode:
1565 tcp.ack = tcp.seq + length(tcp.payload);
1572 Then, the action drops all TCP options and payload data, and
1573 updates the TCP checksum.
1580 <p><b>Prerequisite:
</b> <code>tcp
</code></p>
1585 <column name=
"external_ids" key=
"stage-name">
1586 Human-readable name for this flow's stage in the pipeline.
1589 <column name=
"external_ids" key=
"stage-hint" type='{
"type":
"uuid"}'
>
1590 UUID of a
<ref db=
"OVN_Northbound"/> record that caused this logical flow
1591 to be created. Currently used only for attribute of logical flows to
1592 northbound
<ref db=
"OVN_Northbound" table=
"ACL"/> records.
1595 <column name=
"external_ids" key=
"source">
1596 Source file and line number of the code that added this flow to the
1600 <group title=
"Common Columns">
1601 The overall purpose of these columns is described under
<code>Common
1602 Columns
</code> at the beginning of this document.
1604 <column name=
"external_ids"/>
1608 <table name=
"Multicast_Group" title=
"Logical Port Multicast Groups">
1610 The rows in this table define multicast groups of logical ports.
1611 Multicast groups allow a single packet transmitted over a tunnel to a
1612 hypervisor to be delivered to multiple VMs on that hypervisor, which
1613 uses bandwidth more efficiently.
1617 Each row in this table defines a logical multicast group numbered
<ref
1618 column=
"tunnel_key"/> within
<ref column=
"datapath"/>, whose logical
1619 ports are listed in the
<ref column=
"ports"/> column.
1622 <column name=
"datapath">
1623 The logical datapath in which the multicast group resides.
1626 <column name=
"tunnel_key">
1627 The value used to designate this logical egress port in tunnel
1628 encapsulations. An index forces the key to be unique within the
<ref
1629 column=
"datapath"/>. The unusual range ensures that multicast group IDs
1630 do not overlap with logical port IDs.
1633 <column name=
"name">
1635 The logical multicast group's name. An index forces the name to be
1636 unique within the
<ref column=
"datapath"/>. Logical flows in the
1637 ingress pipeline may output to the group just as for individual logical
1638 ports, by assigning the group's name to
<code>outport
</code> and
1639 executing an
<code>output
</code> action.
1643 Multicast group names and logical port names share a single namespace
1644 and thus should not overlap (but the database schema cannot enforce
1645 this). To try to avoid conflicts,
<code>ovn-northd
</code> uses names
1646 that begin with
<code>_MC_
</code>.
1650 <column name=
"ports">
1651 The logical ports included in the multicast group. All of these ports
1652 must be in the
<ref column=
"datapath"/> logical datapath (but the
1653 database schema cannot enforce this).
1657 <table name=
"Datapath_Binding" title=
"Physical-Logical Datapath Bindings">
1659 Each row in this table represents a logical datapath, which implements a
1660 logical pipeline among the ports in the
<ref table=
"Port_Binding"/> table
1661 associated with it. In practice, the pipeline in a given logical
1662 datapath implements either a logical switch or a logical router.
1666 The main purpose of a row in this table is provide a physical binding for
1667 a logical datapath. A logical datapath does not have a physical
1668 location, so its physical binding information is limited: just
<ref
1669 column=
"tunnel_key"/>. The rest of the data in this table does not
1670 affect packet forwarding.
1673 <column name=
"tunnel_key">
1674 The tunnel key value to which the logical datapath is bound.
1675 The
<code>Tunnel Encapsulation
</code> section in
1676 <code>ovn-architecture
</code>(
7) describes how tunnel keys are
1677 constructed for each supported encapsulation.
1680 <group title=
"OVN_Northbound Relationship">
1682 Each row in
<ref table=
"Datapath_Binding"/> is associated with some
1683 logical datapath.
<code>ovn-northd
</code> uses these keys to track the
1684 association of a logical datapath with concepts in the
<ref
1685 db=
"OVN_Northbound"/> database.
1688 <column name=
"external_ids" key=
"logical-switch" type='{
"type":
"uuid"}'
>
1689 For a logical datapath that represents a logical switch,
1690 <code>ovn-northd
</code> stores in this key the UUID of the
1691 corresponding
<ref table=
"Logical_Switch" db=
"OVN_Northbound"/> row in
1692 the
<ref db=
"OVN_Northbound"/> database.
1695 <column name=
"external_ids" key=
"logical-router" type='{
"type":
"uuid"}'
>
1696 For a logical datapath that represents a logical router,
1697 <code>ovn-northd
</code> stores in this key the UUID of the
1698 corresponding
<ref table=
"Logical_Router" db=
"OVN_Northbound"/> row in
1699 the
<ref db=
"OVN_Northbound"/> database.
1702 <group title=
"Naming">
1704 <code>ovn-northd
</code> copies these from the name fields in the
<ref
1705 db=
"OVN_Northbound"/> database, either from
<ref
1706 table=
"Logical_Router" db=
"OVN_Northbound" column=
"name"/> and
<ref
1707 table=
"Logical_Router" db=
"OVN_Northbound" column=
"external_ids"
1708 key=
"neutron:router_name"/> in the
<ref table=
"Logical_Router"
1709 db=
"OVN_Northbound"/> table or from
<ref table=
"Logical_Switch"
1710 db=
"OVN_Northbound" column=
"name"/> and
<ref table=
"Logical_Switch"
1711 db=
"OVN_Northbound" column=
"external_ids"
1712 key=
"neutron:network_name"/> in the
<ref table=
"Logical_Switch"
1713 db=
"OVN_Northbound"/> table.
1716 <column name=
"external_ids" key=
"name">
1717 A name for the logical datapath.
1720 <column name=
"external_ids" key=
"name2">
1721 Another name for the logical datapath.
1726 <group title=
"Common Columns">
1727 The overall purpose of these columns is described under
<code>Common
1728 Columns
</code> at the beginning of this document.
1730 <column name=
"external_ids"/>
1734 <table name=
"Port_Binding" title=
"Physical-Logical Port Bindings">
1736 Each row in this table binds a logical port to a realization. For most
1737 logical ports, this means binding to some physical location, for example
1738 by binding a logical port to a VIF that belongs to a VM running on a
1739 particular hypervisor. Other logical ports, such as logical patch ports,
1740 can be realized without a specific physical location, but their bindings
1741 are still expressed through rows in this table.
1745 For every
<code>Logical_Switch_Port
</code> record in
1746 <code>OVN_Northbound
</code> database,
<code>ovn-northd
</code>
1747 creates a record in this table.
<code>ovn-northd
</code> populates
1748 and maintains every column except the
<code>chassis
</code> column,
1749 which it leaves empty in new records.
1753 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code>
1754 populates the
<code>chassis
</code> column for the records that
1755 identify the logical ports that are located on its hypervisor/gateway,
1756 which
<code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code> in
1757 turn finds out by monitoring the local hypervisor's Open_vSwitch
1758 database, which identifies logical ports via the conventions described
1759 in
<code>IntegrationGuide.rst
</code>. (The exceptions are for
1760 <code>Port_Binding
</code> records with
<code>type
</code> of
1761 <code>l3gateway
</code>, whose locations are identified by
1762 <code>ovn-northd
</code> via the
<code>options:l3gateway-chassis
</code>
1763 column in this table.
<code>ovn-controller
</code> is still responsible
1764 to populate the
<code>chassis
</code> column.)
1768 When a chassis shuts down gracefully, it should clean up the
1769 <code>chassis
</code> column that it previously had populated.
1770 (This is not critical because resources hosted on the chassis are equally
1771 unreachable regardless of whether their rows are present.) To handle the
1772 case where a VM is shut down abruptly on one chassis, then brought up
1773 again on a different one,
1774 <code>ovn-controller
</code>/
<code>ovn-controller-vtep
</code> must
1775 overwrite the
<code>chassis
</code> column with new information.
1778 <group title=
"Core Features">
1779 <column name=
"datapath">
1780 The logical datapath to which the logical port belongs.
1783 <column name=
"logical_port">
1784 A logical port, taken from
<ref table=
"Logical_Switch_Port"
1785 column=
"name" db=
"OVN_Northbound"/> in the OVN_Northbound
1786 database's
<ref table=
"Logical_Switch_Port" db=
"OVN_Northbound"/>
1787 table. OVN does not prescribe a particular format for the
1791 <column name=
"chassis">
1792 The meaning of this column depends on the value of the
<ref column=
"type"/>
1793 column. This is the meaning for each
<ref column=
"type"/>
1796 <dt>(empty string)
</dt>
1798 The physical location of the logical port. To successfully identify a
1799 chassis, this column must be a
<ref table=
"Chassis"/> record. This is
1800 populated by
<code>ovn-controller
</code>.
1805 The physical location of the hardware_vtep gateway. To successfully
1806 identify a chassis, this column must be a
<ref table=
"Chassis"/> record.
1807 This is populated by
<code>ovn-controller-vtep
</code>.
1812 Always empty. A localnet port is realized on every chassis that has
1813 connectivity to the corresponding physical network.
1818 Always empty. A localport port is present on every chassis.
1823 The physical location of the L3 gateway. To successfully identify a
1824 chassis, this column must be a
<ref table=
"Chassis"/> record. This is
1825 populated by
<code>ovn-controller
</code> based on the value of
1826 the
<code>options:l3gateway-chassis
</code> column in this table.
1831 The physical location of this L2 gateway. To successfully identify a
1832 chassis, this column must be a
<ref table=
"Chassis"/> record.
1833 This is populated by
<code>ovn-controller
</code> based on the value
1834 of the
<code>options:l2gateway-chassis
</code> column in this table.
1840 <column name=
"gateway_chassis">
1842 A list of
<ref table=
"Gateway_Chassis"/>.
1845 This should only be populated for ports with
1846 <ref column=
"type"/> set to
<code>chassisredirect
</code>.
1847 This column defines the list of chassis used as gateways where
1848 traffic will be redirected through.
1852 <column name=
"tunnel_key">
1854 A number that represents the logical port in the key (e.g. STT key or
1855 Geneve TLV) field carried within tunnel protocol packets.
1859 The tunnel ID must be unique within the scope of a logical datapath.
1865 The Ethernet address or addresses used as a source address on the
1866 logical port, each in the form
1867 <var>xx
</var>:
<var>xx
</var>:
<var>xx
</var>:
<var>xx
</var>:
<var>xx
</var>:
<var>xx
</var>.
1868 The string
<code>unknown
</code> is also allowed to indicate that the
1869 logical port has an unknown set of (additional) source addresses.
1873 A VM interface would ordinarily have a single Ethernet address. A
1874 gateway port might initially only have
<code>unknown
</code>, and then
1875 add MAC addresses to the set as it learns new source addresses.
1879 <column name=
"type">
1881 A type for this logical port. Logical ports can be used to model other
1882 types of connectivity into an OVN logical switch. The following types
1887 <dt>(empty string)
</dt>
1888 <dd>VM (or VIF) interface.
</dd>
1890 <dt><code>patch
</code></dt>
1892 One of a pair of logical ports that act as if connected by a patch
1893 cable. Useful for connecting two logical datapaths, e.g. to connect
1894 a logical router to a logical switch or to another logical router.
1897 <dt><code>l3gateway
</code></dt>
1899 One of a pair of logical ports that act as if connected by a patch
1900 cable across multiple chassis. Useful for connecting a logical
1901 switch with a Gateway router (which is only resident on a
1902 particular chassis).
1905 <dt><code>localnet
</code></dt>
1907 A connection to a locally accessible network from each
1908 <code>ovn-controller
</code> instance. A logical switch can only
1909 have a single
<code>localnet
</code> port attached. This is used
1910 to model direct connectivity to an existing network.
1913 <dt><code>localport
</code></dt>
1915 A connection to a local VIF. Traffic that arrives on a
1916 <code>localport
</code> is never forwarded over a tunnel to another
1917 chassis. These ports are present on every chassis and have the same
1918 address in all of them. This is used to model connectivity to local
1919 services that run on every hypervisor.
1922 <dt><code>l2gateway
</code></dt>
1924 An L2 connection to a physical network. The chassis this
1925 <ref table=
"Port_Binding"/> is bound to will serve as
1926 an L2 gateway to the network named by
1927 <ref column=
"options" table=
"Port_Binding"/>:
<code>network_name
</code>.
1930 <dt><code>vtep
</code></dt>
1932 A port to a logical switch on a VTEP gateway chassis. In order to
1933 get this port correctly recognized by the OVN controller, the
<ref
1935 table=
"Port_Binding"/>:
<code>vtep-physical-switch
</code> and
<ref
1937 table=
"Port_Binding"/>:
<code>vtep-logical-switch
</code> must also
1941 <dt><code>chassisredirect
</code></dt>
1943 A logical port that represents a particular instance, bound
1944 to a specific chassis, of an otherwise distributed parent
1945 port (e.g. of type
<code>patch
</code>). A
1946 <code>chassisredirect
</code> port should never be used as an
1947 <code>inport
</code>. When an ingress pipeline sets the
1948 <code>outport
</code>, it may set the value to a logical port
1949 of type
<code>chassisredirect
</code>. This will cause the
1950 packet to be directed to a specific chassis to carry out the
1951 egress pipeline. At the beginning of the egress pipeline,
1952 the
<code>outport
</code> will be reset to the value of the
1959 <group title=
"Patch Options">
1961 These options apply to logical ports with
<ref column=
"type"/> of
1965 <column name=
"options" key=
"peer">
1966 The
<ref column=
"logical_port"/> in the
<ref table=
"Port_Binding"/>
1967 record for the other side of the patch. The named
<ref
1968 column=
"logical_port"/> must specify this
<ref column=
"logical_port"/>
1969 in its own
<code>peer
</code> option. That is, the two patch logical
1970 ports must have reversed
<ref column=
"logical_port"/> and
1971 <code>peer
</code> values.
1974 <column name=
"nat_addresses">
1975 MAC address followed by a list of SNAT and DNAT external IP
1976 addresses, followed by
1977 <code>is_chassis_resident(
"<var>lport</var>")
</code>, where
1978 <var>lport
</var> is the name of a logical port on the same chassis
1979 where the corresponding NAT rules are applied. This is used to
1980 send gratuitous ARPs for SNAT and DNAT external IP addresses via
1981 <code>localnet
</code>, from the chassis where
<var>lport
</var>
1982 resides. Example:
<code>80:fa:
5b:
06:
72:b7
158.36.44.22
1983 158.36.44.24 is_chassis_resident(
"foo1")
</code>. This would result
1984 in generation of gratuitous ARPs for IP addresses
158.36.44.22 and
1985 158.36.44.24 with a MAC address of
80:fa:
5b:
06:
72:b7 from the chassis
1986 where the logical port
"foo1" resides.
1990 <group title=
"L3 Gateway Options">
1992 These options apply to logical ports with
<ref column=
"type"/> of
1993 <code>l3gateway
</code>.
1996 <column name=
"options" key=
"peer">
1997 The
<ref column=
"logical_port"/> in the
<ref table=
"Port_Binding"/>
1998 record for the other side of the 'l3gateway' port. The named
<ref
1999 column=
"logical_port"/> must specify this
<ref column=
"logical_port"/>
2000 in its own
<code>peer
</code> option. That is, the two 'l3gateway'
2001 logical ports must have reversed
<ref column=
"logical_port"/> and
2002 <code>peer
</code> values.
2005 <column name=
"options" key=
"l3gateway-chassis">
2006 The
<code>chassis
</code> in which the port resides.
2009 <column name=
"options" key=
"nat-addresses">
2010 MAC address of the
<code>l3gateway
</code> port followed by a list of
2011 SNAT and DNAT external IP addresses. This is used to send gratuitous
2012 ARPs for SNAT and DNAT external IP addresses via
<code>localnet
</code>.
2013 Example:
<code>80:fa:
5b:
06:
72:b7
158.36.44.22 158.36.44.24</code>.
2014 This would result in generation of gratuitous ARPs for IP addresses
2015 158.36.44.22 and
158.36.44.24 with a MAC address of
80:fa:
5b:
06:
72:b7.
2016 This is used in OVS versions prior to
2.8.
2019 <column name=
"nat_addresses">
2020 MAC address of the
<code>l3gateway
</code> port followed by a list of
2021 SNAT and DNAT external IP addresses. This is used to send gratuitous
2022 ARPs for SNAT and DNAT external IP addresses via
<code>localnet
</code>.
2023 Example:
<code>80:fa:
5b:
06:
72:b7
158.36.44.22 158.36.44.24</code>.
2024 This would result in generation of gratuitous ARPs for IP addresses
2025 158.36.44.22 and
158.36.44.24 with a MAC address of
80:fa:
5b:
06:
72:b7.
2026 This is used in OVS version
2.8 and later versions.
2030 <group title=
"Localnet Options">
2032 These options apply to logical ports with
<ref column=
"type"/> of
2033 <code>localnet
</code>.
2036 <column name=
"options" key=
"network_name">
2037 Required.
<code>ovn-controller
</code> uses the configuration entry
2038 <code>ovn-bridge-mappings
</code> to determine how to connect to this
2039 network.
<code>ovn-bridge-mappings
</code> is a list of network names
2040 mapped to a local OVS bridge that provides access to that network. An
2041 example of configuring
<code>ovn-bridge-mappings
</code> would be:
2043 <pre>$ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1
</pre>
2046 When a logical switch has a
<code>localnet
</code> port attached,
2047 every chassis that may have a local vif attached to that logical
2048 switch must have a bridge mapping configured to reach that
2049 <code>localnet
</code>. Traffic that arrives on a
2050 <code>localnet
</code> port is never forwarded over a tunnel to
2056 If set, indicates that the port represents a connection to a specific
2057 VLAN on a locally accessible network. The VLAN ID is used to match
2058 incoming traffic and is also added to outgoing traffic.
2062 <group title=
"L2 Gateway Options">
2064 These options apply to logical ports with
<ref column=
"type"/> of
2065 <code>l2gateway
</code>.
2068 <column name=
"options" key=
"network_name">
2069 Required.
<code>ovn-controller
</code> uses the configuration entry
2070 <code>ovn-bridge-mappings
</code> to determine how to connect to this
2071 network.
<code>ovn-bridge-mappings
</code> is a list of network names
2072 mapped to a local OVS bridge that provides access to that network. An
2073 example of configuring
<code>ovn-bridge-mappings
</code> would be:
2075 <pre>$ ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth0,physnet2:br-eth1
</pre>
2078 When a logical switch has a
<code>l2gateway
</code> port attached,
2079 the chassis that the
<code>l2gateway
</code> port is bound to
2080 must have a bridge mapping configured to reach the network
2081 identified by
<code>network_name
</code>.
2085 <column name=
"options" key=
"l2gateway-chassis">
2086 Required. The
<code>chassis
</code> in which the port resides.
2090 If set, indicates that the gateway is connected to a specific
2091 VLAN on the physical network. The VLAN ID is used to match
2092 incoming traffic and is also added to outgoing traffic.
2096 <group title=
"VTEP Options">
2098 These options apply to logical ports with
<ref column=
"type"/> of
2102 <column name=
"options" key=
"vtep-physical-switch">
2103 Required. The name of the VTEP gateway.
2106 <column name=
"options" key=
"vtep-logical-switch">
2107 Required. A logical switch name connected by the VTEP gateway. Must
2108 be set when
<ref column=
"type"/> is
<code>vtep
</code>.
2112 <group title=
"VMI (or VIF) Options">
2114 These options apply to logical ports with
<ref column=
"type"/> having
2118 <column name=
"options" key=
"qos_max_rate">
2119 If set, indicates the maximum rate for data sent from this interface,
2120 in bit/s. The traffic will be shaped according to this limit.
2123 <column name=
"options" key=
"qos_burst">
2124 If set, indicates the maximum burst size for data sent from this
2128 <column name=
"options" key=
"qdisc_queue_id"
2129 type='{
"type":
"integer",
"minInteger":
1,
"maxInteger":
61440}'
>
2130 Indicates the queue number on the physical device. This is same as the
2131 <code>queue_id
</code> used in OpenFlow in
<code>struct
2132 ofp_action_enqueue
</code>.
2136 <group title=
"Chassis Redirect Options">
2138 These options apply to logical ports with
<ref column=
"type"/>
2139 of
<code>chassisredirect
</code>.
2142 <column name=
"options" key=
"distributed-port">
2143 The name of the distributed port for which this
2144 <code>chassisredirect
</code> port represents a particular instance.
2147 <column name=
"options" key=
"redirect-chassis">
2148 The
<code>chassis
</code> that this
<code>chassisredirect
</code> port
2149 is bound to. This is taken from
<ref table=
"Logical_Router_Port"
2150 column=
"options" key=
"redirect-chassis" db=
"OVN_Northbound"/>
2151 in the OVN_Northbound database's
<ref table=
"Logical_Router_Port"
2152 db=
"OVN_Northbound"/> table.
2156 <group title=
"Nested Containers">
2158 These columns support containers nested within a VM. Specifically,
2159 they are used when
<ref column=
"type"/> is empty and
<ref
2160 column=
"logical_port"/> identifies the interface of a container spawned
2161 inside a VM. They are empty for containers or VMs that run directly on
2165 <column name=
"parent_port">
2167 <ref table=
"Logical_Switch_Port" column=
"parent_name"
2168 db=
"OVN_Northbound"/> in the OVN_Northbound database's
2169 <ref table=
"Logical_Switch_Port" db=
"OVN_Northbound"/> table.
2174 Identifies the VLAN tag in the network traffic associated with that
2175 container's network interface.
2179 This column is used for a different purpose when
<ref column=
"type"/>
2180 is
<code>localnet
</code> (see
<code>Localnet Options
</code>, above)
2181 or
<code>l2gateway
</code> (see
<code>L2 Gateway Options
</code>, above).
2186 <group title=
"Naming">
2187 <column name=
"external_ids" key=
"name">
2189 For a logical switch port,
<code>ovn-northd
</code> copies this from
2190 <ref table=
"Logical_Switch_Port" db=
"OVN_Northbound"
2191 column=
"external_ids" key=
"neutron:port_name"/> in the
<ref
2192 table=
"Logical_Switch_Port" db=
"OVN_Northbound"/> table in the
2193 OVN_Northbound database, if it is a nonempty string.
2197 For a logical switch port,
<code>ovn-northd
</code> does not currently
2203 <group title=
"Common Columns">
2204 <column name=
"external_ids">
2206 See
<em>External IDs
</em> at the beginning of this document.
2210 The
<code>ovn-northd
</code> program populates this column with
2211 all entries into the
<ref column=
"external_ids"/> column of the
2212 <ref table=
"Logical_Switch_Port"/> table of the
2213 <ref db=
"OVN_Northbound"/> database.
2219 <table name=
"MAC_Binding" title=
"IP to MAC bindings">
2221 Each row in this table specifies a binding from an IP address to an
2222 Ethernet address that has been discovered through ARP (for IPv4) or
2223 neighbor discovery (for IPv6). This table is primarily used to discover
2224 bindings on physical networks, because IP-to-MAC bindings for virtual
2225 machines are usually populated statically into the
<ref
2226 table=
"Port_Binding"/> table.
2230 This table expresses a functional relationship:
<ref
2231 table=
"MAC_Binding"/>(
<ref column=
"logical_port"/>,
<ref column=
"ip"/>) =
2232 <ref column=
"mac"/>.
2236 In outline, the lifetime of a logical router's MAC binding looks like
2242 On hypervisor
1, a logical router determines that a packet should be
2243 forwarded to IP address
<var>A
</var> on one of its router ports. It
2244 uses its logical flow table to determine that
<var>A
</var> lacks a
2245 static IP-to-MAC binding and the
<code>get_arp
</code> action to
2246 determine that it lacks a dynamic IP-to-MAC binding.
2250 Using an OVN logical
<code>arp
</code> action, the logical router
2251 generates and sends a broadcast ARP request to the router port. It
2252 drops the IP packet.
2256 The logical switch attached to the router port delivers the ARP request
2257 to all of its ports. (It might make sense to deliver it only to ports
2258 that have no static IP-to-MAC bindings, but this could also be
2259 surprising behavior.)
2263 A host or VM on hypervisor
2 (which might be the same as hypervisor
1)
2264 attached to the logical switch owns the IP address in question. It
2265 composes an ARP reply and unicasts it to the logical router port's
2270 The logical switch delivers the ARP reply to the logical router port.
2274 The logical router flow table executes a
<code>put_arp
</code> action.
2275 To record the IP-to-MAC binding,
<code>ovn-controller
</code> adds a row
2276 to the
<ref table=
"MAC_Binding"/> table.
2280 On hypervisor
1,
<code>ovn-controller
</code> receives the updated
<ref
2281 table=
"MAC_Binding"/> table from the OVN southbound database. The next
2282 packet destined to
<var>A
</var> through the logical router is sent
2283 directly to the bound Ethernet address.
2287 <column name=
"logical_port">
2288 The logical port on which the binding was discovered.
2292 The bound IP address.
2296 The Ethernet address to which the IP is bound.
2298 <column name=
"datapath">
2299 The logical datapath to which the logical port belongs.
2303 <table name=
"DHCP_Options" title=
"DHCP Options supported by native OVN DHCP">
2305 Each row in this table stores the DHCP Options supported by native OVN
2306 DHCP.
<code>ovn-northd
</code> populates this table with the supported
2307 DHCP options.
<code>ovn-controller
</code> looks up this table to get the
2308 DHCP codes of the DHCP options defined in the
"put_dhcp_opts" action.
2309 Please refer to the RFC
2132 <code>"https://tools.ietf.org/html/rfc2132"</code>
2310 for the possible list of DHCP options that can be defined here.
2313 <column name=
"name">
2315 Name of the DHCP option.
2319 Example.
name=
"router"
2323 <column name=
"code">
2325 DHCP option code for the DHCP option as defined in the RFC
2132.
2333 <column name=
"type">
2335 Data type of the DHCP option code.
2339 <dt><code>value: bool
</code></dt>
2342 This indicates that the value of the DHCP option is a bool.
2346 Example.
"name=ip_forward_enable",
"code=19",
"type=bool".
2350 put_dhcp_opts(..., ip_forward_enable =
1,...)
2354 <dt><code>value: uint8
</code></dt>
2357 This indicates that the value of the DHCP option is an unsigned
2362 Example.
"name=default_ttl",
"code=23",
"type=uint8".
2366 put_dhcp_opts(..., default_ttl =
50,...)
2370 <dt><code>value: uint16
</code></dt>
2373 This indicates that the value of the DHCP option is an unsigned
2378 Example.
"name=mtu",
"code=26",
"type=uint16".
2382 put_dhcp_opts(..., mtu =
1450,...)
2386 <dt><code>value: uint32
</code></dt>
2389 This indicates that the value of the DHCP option is an unsigned
2394 Example.
"name=lease_time",
"code=51",
"type=uint32".
2398 put_dhcp_opts(..., lease_time =
86400,...)
2402 <dt><code>value: ipv4
</code></dt>
2405 This indicates that the value of the DHCP option is an IPv4
2406 address or addresses.
2410 Example.
"name=router",
"code=3",
"type=ipv4".
2414 put_dhcp_opts(..., router =
10.0.0.1,...)
2418 Example.
"name=dns_server",
"code=6",
"type=ipv4".
2422 put_dhcp_opts(..., dns_server = {
8.8.8.8 7.7.7.7},...)
2426 <dt><code>value: static_routes
</code></dt>
2429 This indicates that the value of the DHCP option contains a pair of
2430 IPv4 route and next hop addresses.
2434 Example.
"name=classless_static_route",
"code=121",
"type=static_routes".
2438 put_dhcp_opts(..., classless_static_route = {
30.0.0.0/
24,
10.0.0.4,
0.0.0.0/
0,
10.0.0.1}...)
2442 <dt><code>value: str
</code></dt>
2445 This indicates that the value of the DHCP option is a string.
2449 Example.
"name=host_name",
"code=12",
"type=str".
2456 <table name=
"DHCPv6_Options" title=
"DHCPv6 Options supported by native OVN DHCPv6">
2458 Each row in this table stores the DHCPv6 Options supported by native OVN
2459 DHCPv6.
<code>ovn-northd
</code> populates this table with the supported
2460 DHCPv6 options.
<code>ovn-controller
</code> looks up this table to get
2461 the DHCPv6 codes of the DHCPv6 options defined in the
2462 <code>put_dhcpv6_opts
</code> action. Please refer to RFC
3315 and RFC
2463 3646 for the list of DHCPv6 options that can be defined here.
2466 <column name=
"name">
2468 Name of the DHCPv6 option.
2472 Example.
name=
"ia_addr"
2476 <column name=
"code">
2478 DHCPv6 option code for the DHCPv6 option as defined in the appropriate
2487 <column name=
"type">
2489 Data type of the DHCPv6 option code.
2493 <dt><code>value: ipv6
</code></dt>
2496 This indicates that the value of the DHCPv6 option is an IPv6
2501 Example.
"name=ia_addr",
"code=5",
"type=ipv6".
2505 put_dhcpv6_opts(..., ia_addr = ae70::
4,...)
2509 <dt><code>value: str
</code></dt>
2512 This indicates that the value of the DHCPv6 option is a string.
2516 Example.
"name=domain_search",
"code=24",
"type=str".
2520 put_dhcpv6_opts(..., domain_search = ovn.domain,...)
2524 <dt><code>value: mac
</code></dt>
2527 This indicates that the value of the DHCPv6 option is a MAC address.
2531 Example.
"name=server_id",
"code=2",
"type=mac".
2535 put_dhcpv6_opts(..., server_id =
01:
02:
03:
04L05:
06,...)
2541 <table name=
"Connection" title=
"OVSDB client connections.">
2543 Configuration for a database connection to an Open vSwitch database
2548 This table primarily configures the Open vSwitch database server
2549 (
<code>ovsdb-server
</code>).
2553 The Open vSwitch database server can initiate and maintain active
2554 connections to remote clients. It can also listen for database
2558 <group title=
"Core Features">
2559 <column name=
"target">
2560 <p>Connection methods for clients.
</p>
2562 The following connection methods are currently supported:
2565 <dt><code>ssl:
<var>ip
</var></code>[
<code>:
<var>port
</var></code>]
</dt>
2568 The specified SSL
<var>port
</var> on the host at the given
2569 <var>ip
</var>, which must be expressed as an IP address
2570 (not a DNS name). A valid SSL configuration must be provided
2571 when this form is used, this configuration can be specified
2572 via command-line options or the
<ref table=
"SSL"/> table.
2575 If
<var>port
</var> is not specified, it defaults to
6640.
2578 SSL support is an optional feature that is not always
2579 built as part of Open vSwitch.
2583 <dt><code>tcp:
<var>ip
</var></code>[
<code>:
<var>port
</var></code>]
</dt>
2586 The specified TCP
<var>port
</var> on the host at the given
2587 <var>ip
</var>, which must be expressed as an IP address (not a
2588 DNS name), where
<var>ip
</var> can be IPv4 or IPv6 address. If
2589 <var>ip
</var> is an IPv6 address, wrap it in square brackets,
2590 e.g.
<code>tcp:[::
1]:
6640</code>.
2593 If
<var>port
</var> is not specified, it defaults to
6640.
2596 <dt><code>pssl:
</code>[
<var>port
</var>][
<code>:
<var>ip
</var></code>]
</dt>
2599 Listens for SSL connections on the specified TCP
<var>port
</var>.
2600 Specify
0 for
<var>port
</var> to have the kernel automatically
2601 choose an available port. If
<var>ip
</var>, which must be
2602 expressed as an IP address (not a DNS name), is specified, then
2603 connections are restricted to the specified local IP address
2604 (either IPv4 or IPv6 address). If
<var>ip
</var> is an IPv6
2605 address, wrap in square brackets,
2606 e.g.
<code>pssl:
6640:[::
1]
</code>. If
<var>ip
</var> is not
2607 specified then it listens only on IPv4 (but not IPv6) addresses.
2608 A valid SSL configuration must be provided when this form is used,
2609 this can be specified either via command-line options or the
2610 <ref table=
"SSL"/> table.
2613 If
<var>port
</var> is not specified, it defaults to
6640.
2616 SSL support is an optional feature that is not always built as
2617 part of Open vSwitch.
2620 <dt><code>ptcp:
</code>[
<var>port
</var>][
<code>:
<var>ip
</var></code>]
</dt>
2623 Listens for connections on the specified TCP
<var>port
</var>.
2624 Specify
0 for
<var>port
</var> to have the kernel automatically
2625 choose an available port. If
<var>ip
</var>, which must be
2626 expressed as an IP address (not a DNS name), is specified, then
2627 connections are restricted to the specified local IP address
2628 (either IPv4 or IPv6 address). If
<var>ip
</var> is an IPv6
2629 address, wrap it in square brackets,
2630 e.g.
<code>ptcp:
6640:[::
1]
</code>. If
<var>ip
</var> is not
2631 specified then it listens only on IPv4 addresses.
2634 If
<var>port
</var> is not specified, it defaults to
6640.
2638 <p>When multiple clients are configured, the
<ref column=
"target"/>
2639 values must be unique. Duplicate
<ref column=
"target"/> values yield
2640 unspecified results.
</p>
2643 <column name=
"read_only">
2644 <code>true
</code> to restrict these connections to read-only
2645 transactions,
<code>false
</code> to allow them to modify the database.
2647 <column name=
"role">
2648 String containing role name for this connection entry.
2652 <group title=
"Client Failure Detection and Handling">
2653 <column name=
"max_backoff">
2654 Maximum number of milliseconds to wait between connection attempts.
2655 Default is implementation-specific.
2658 <column name=
"inactivity_probe">
2659 Maximum number of milliseconds of idle time on connection to the client
2660 before sending an inactivity probe message. If Open vSwitch does not
2661 communicate with the client for the specified number of seconds, it
2662 will send a probe. If a response is not received for the same
2663 additional amount of time, Open vSwitch assumes the connection has been
2664 broken and attempts to reconnect. Default is implementation-specific.
2665 A value of
0 disables inactivity probes.
2669 <group title=
"Status">
2671 Key-value pair of
<ref column=
"is_connected"/> is always updated.
2672 Other key-value pairs in the status columns may be updated depends
2673 on the
<ref column=
"target"/> type.
2677 When
<ref column=
"target"/> specifies a connection method that
2678 listens for inbound connections (e.g.
<code>ptcp:
</code> or
2679 <code>punix:
</code>), both
<ref column=
"n_connections"/> and
2680 <ref column=
"is_connected"/> may also be updated while the
2681 remaining key-value pairs are omitted.
2685 On the other hand, when
<ref column=
"target"/> specifies an
2686 outbound connection, all key-value pairs may be updated, except
2687 the above-mentioned two key-value pairs associated with inbound
2688 connection targets. They are omitted.
2691 <column name=
"is_connected">
2692 <code>true
</code> if currently connected to this client,
2693 <code>false
</code> otherwise.
2696 <column name=
"status" key=
"last_error">
2697 A human-readable description of the last error on the connection
2698 to the manager; i.e.
<code>strerror(errno)
</code>. This key
2699 will exist only if an error has occurred.
2702 <column name=
"status" key=
"state"
2703 type='{
"type":
"string",
"enum": [
"set", [
"VOID",
"BACKOFF",
"CONNECTING",
"ACTIVE",
"IDLE"]]}'
>
2705 The state of the connection to the manager:
2708 <dt><code>VOID
</code></dt>
2709 <dd>Connection is disabled.
</dd>
2711 <dt><code>BACKOFF
</code></dt>
2712 <dd>Attempting to reconnect at an increasing period.
</dd>
2714 <dt><code>CONNECTING
</code></dt>
2715 <dd>Attempting to connect.
</dd>
2717 <dt><code>ACTIVE
</code></dt>
2718 <dd>Connected, remote host responsive.
</dd>
2720 <dt><code>IDLE
</code></dt>
2721 <dd>Connection is idle. Waiting for response to keep-alive.
</dd>
2724 These values may change in the future. They are provided only for
2729 <column name=
"status" key=
"sec_since_connect"
2730 type='{
"type":
"integer",
"minInteger":
0}'
>
2731 The amount of time since this client last successfully connected
2732 to the database (in seconds). Value is empty if client has never
2733 successfully been connected.
2736 <column name=
"status" key=
"sec_since_disconnect"
2737 type='{
"type":
"integer",
"minInteger":
0}'
>
2738 The amount of time since this client last disconnected from the
2739 database (in seconds). Value is empty if client has never
2743 <column name=
"status" key=
"locks_held">
2744 Space-separated list of the names of OVSDB locks that the connection
2745 holds. Omitted if the connection does not hold any locks.
2748 <column name=
"status" key=
"locks_waiting">
2749 Space-separated list of the names of OVSDB locks that the connection is
2750 currently waiting to acquire. Omitted if the connection is not waiting
2754 <column name=
"status" key=
"locks_lost">
2755 Space-separated list of the names of OVSDB locks that the connection
2756 has had stolen by another OVSDB client. Omitted if no locks have been
2757 stolen from this connection.
2760 <column name=
"status" key=
"n_connections"
2761 type='{
"type":
"integer",
"minInteger":
2}'
>
2762 When
<ref column=
"target"/> specifies a connection method that
2763 listens for inbound connections (e.g.
<code>ptcp:
</code> or
2764 <code>pssl:
</code>) and more than one connection is actually active,
2765 the value is the number of active connections. Otherwise, this
2766 key-value pair is omitted.
2769 <column name=
"status" key=
"bound_port" type='{
"type":
"integer"}'
>
2770 When
<ref column=
"target"/> is
<code>ptcp:
</code> or
2771 <code>pssl:
</code>, this is the TCP port on which the OVSDB server is
2772 listening. (This is particularly useful when
<ref
2773 column=
"target"/> specifies a port of
0, allowing the kernel to
2774 choose any available port.)
2778 <group title=
"Common Columns">
2779 The overall purpose of these columns is described under
<code>Common
2780 Columns
</code> at the beginning of this document.
2782 <column name=
"external_ids"/>
2783 <column name=
"other_config"/>
2787 SSL configuration for ovn-sb database access.
2789 <column name=
"private_key">
2790 Name of a PEM file containing the private key used as the switch's
2791 identity for SSL connections to the controller.
2794 <column name=
"certificate">
2795 Name of a PEM file containing a certificate, signed by the
2796 certificate authority (CA) used by the controller and manager,
2797 that certifies the switch's private key, identifying a trustworthy
2801 <column name=
"ca_cert">
2802 Name of a PEM file containing the CA certificate used to verify
2803 that the switch is connected to a trustworthy controller.
2806 <column name=
"bootstrap_ca_cert">
2807 If set to
<code>true
</code>, then Open vSwitch will attempt to
2808 obtain the CA certificate from the controller on its first SSL
2809 connection and save it to the named PEM file. If it is successful,
2810 it will immediately drop the connection and reconnect, and from then
2811 on all SSL connections must be authenticated by a certificate signed
2812 by the CA certificate thus obtained.
<em>This option exposes the
2813 SSL connection to a man-in-the-middle attack obtaining the initial
2814 CA certificate.
</em> It may still be useful for bootstrapping.
2817 <column name=
"ssl_protocols">
2818 List of SSL protocols to be enabled for SSL connections. The default
2819 when this option is omitted is
<code>TLSv1,TLSv1.1,TLSv1.2
</code>.
2822 <column name=
"ssl_ciphers">
2823 List of ciphers (in OpenSSL cipher string format) to be supported
2824 for SSL connections. The default when this option is omitted is
2825 <code>HIGH:!aNULL:!MD5
</code>.
2828 <group title=
"Common Columns">
2829 The overall purpose of these columns is described under
<code>Common
2830 Columns
</code> at the beginning of this document.
2832 <column name=
"external_ids"/>
2835 <table name=
"DNS" title=
"Native DNS resolution">
2837 Each row in this table stores the DNS records. The OVN action
2838 <code>dns_lookup
</code> uses this table for DNS resolution.
2841 <column name=
"records">
2842 Key-value pair of DNS records with
<code>DNS query name
</code> as the key
2843 and a string of IP address(es) separated by comma or space as the
2846 <p><b>Example:
</b> "vm1.ovn.org" =
"10.0.0.4 aef0::4"</p>
2849 <column name=
"datapaths">
2850 The DNS records defined in the column
<ref column=
"records"/> will be
2851 applied only to the DNS queries originating from the datapaths defined
2855 <group title=
"Common Columns">
2856 <column name=
"external_ids">
2857 See
<em>External IDs
</em> at the beginning of this document.
2862 <table name=
"RBAC_Role">
2863 Role table for role-based access controls.
2865 <column name=
"name">
2866 The role name, corresponding to the
<code>role
</code>
2867 column in the
<code>Connection
</code> table.
2870 <column name=
"permissions">
2871 A mapping of table names to rows in the
2872 <code>RBAC_Permission
</code> table.
2875 <table name=
"RBAC_Permission">
2876 Permissions table for role-based access controls.
2878 <column name=
"table">
2879 Name of table to which this row applies.
2882 <column name=
"authorization">
2883 Set of strings identifying columns and column:key pairs to be compared
2884 with client ID. At least one match is required in order to be
2885 authorized. A zero-length string is treated as a special value
2886 indicating all clients should be considered authorized.
2889 <column name=
"insert_delete">
2890 When
"true", row insertions and authorized row
2891 deletions are permitted.
2893 <column name=
"update">
2894 Set of strings identifying columns and column:key pairs that authorized
2895 clients are allowed to modify.
2898 <table name=
"Gateway_Chassis">
2900 Association of
<ref table=
"Port_Binding"/> rows of
2901 <ref table=
"Port_Binding" column=
"type"/> <code>chassisredirect
</code> to
2902 a
<ref table=
"Chassis"/>. The traffic going out through a specific
2903 <code>chassisredirect
</code> port will be redirected to a chassis,
2904 or a set of them in high availability configurations.
2907 <column name=
"name">
2909 Name of the
<ref table=
"Gateway_Chassis"/>.
2912 A suggested, but not required naming convention is
2913 <code>${port_name}_${chassis_name}
</code>.
2917 <column name=
"chassis">
2918 The
<ref table=
"Chassis"/> to which we send the traffic.
2921 <column name=
"priority">
2922 This is the priority the specific
<ref table=
"Chassis"/> among all
2923 Gateway_Chassis belonging to the same
<ref table=
"Port_Binding"/>.
2926 <column name=
"options">
2927 Reserved for future use.
2930 <group title=
"Common Columns">
2931 The overall purpose of these columns is described under
<code>Common
2932 Columns
</code> at the beginning of this document.
2934 <column name=
"external_ids"/>
projects / mirror_ovs.git / blob